Trouble Shooting Help Needed

kiekar

Hello,

I've been having an issue updating my Kaspersky Database a little while now. The database is no longer updating. I'm on the latest version of pfSense and all latest packages updates. I viewed the Real Time access logs and noticed these entries.

1458484291.075    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-18.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
1458484297.498    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-04.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.36 text/html
1458484304.137    102 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-17.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.199 text/html
1458484310.421    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-10.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
1458484316.922    231 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-14.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
1458484323.204    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-11.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
1458484329.582    103 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-16.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
1458484335.893    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-07.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.125 text/html
1458484342.272    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-12.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
1458484348.786    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-09.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.119 text/html
1458484355.265    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-15.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
1458484361.658    122 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-13.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
1458484367.944    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-01.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.42 text/html
1458484377.578    270 192.168.2.182 TCP_MISS/503 3727 GET http://downloads6.kaspersky-labs.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
1458484603.675    892 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3719 GET http://dnl-07.geo.kaspersky.com/updaters/updater.xml.dif - ORIGINAL_DST/38.124.168.116 text/html

I'm not sure on how to configure pfSense to allow the connection to update my anti virus data base. Your help would be much appreciated.

heper

real time access logs of what? proxy ? try to disable it

kiekar

what? proxy

I'm using Squid3 0.4.7. Disabling it doesn't work.

johnpoz

are you using it explicit or implicit mode?  What are you rules on this network interface?  If you point a client to a proxy and then turn off the proxy, then yeah no shit not going to work.. If you use transparent and have rules to intercept traffic and only allow your proxy port again turning of the proxy is not going to work..

kiekar

I have squid set as transparent mode. Out bound is also blocked.

johnpoz

So you have a floating rule blocking outbound traffic on your wan?  OR you have snort installed doing it?

mer

With no packages and default rules on a pfSense box, Kaspersky IS updates just fine for me.

johnpoz

You can see from what he posted he has a outbound rule setup on his WAN that is blocking traffic to port 80.  If he would turn on listing the rule description in the log settings could tell you exactly which rule it is.  The only place you can set outbound rules in the floating tab.. So post up your floating tab so we can see the rules.

kiekar

I do have one floating rule which was auto generated from pfBlockerNG. I did change the settings for firewall logs which I was never aware of which pointed me to SNORT

Mar 20 16:48:58 Direction=OUT WAN Block snort2c hosts (1000000118) Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List xx.xxx.xxx.xxx:56894 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 38.124.168.116:80 TCP:S

I did check SNORT before but I couldn't see any of the IPs logged on the Alert Tab and Blocked Tab.

johnpoz

I really really wish they would be very large bold letter caveats when installing tools like pfblocker and for sure snort and even the proxy - that lack of understanding will BREAK your shit ;) hehehe

Snort can take quite a bit of tweaking of the rules before it is of anything other than log noise generation tool… Putting it into block mode before you have spent the required time tweaking the rule set to weed out noise, etc.. is just asking for shit to break..

While I like the idea of pfblocker, it too is a very quick and easy way to break shit when you don't understand its actual use.. Letting it auto create rules if you ask me is a REALLY BAD idea..  If you want to use it to block countries IP ranges, and or remove ads then use the rules in alias mode and place the specific rules you want.

In general letting stuff block stuff for you automatically is going to lead to shit not working, and you not understanding why..

As to the proxy, unless you have a bunch of puberty  age boys that your trying to block from porn ville it serves little use in anything other than a corp environment.. And just another thing that could break your shit for very little added benefit..